[Oisf-users] Rotate unified2 log with live rules reload

Peter Manev petermanev at gmail.com
Sun Dec 6 19:33:43 UTC 2015


On Sun, Dec 6, 2015 at 6:25 PM, Jason Ish <lists at unx.ca> wrote:
> On Fri, Dec 4, 2015 at 9:26 AM, Brian Hennigar <bhennigar at gmail.com> wrote:
>> Hi!
>> Is it possible to have suricata start writing to a new unified2 file when a
>> USR2 signal is sent for a live reload of the rules?  I'm not seeing a way to
>> do this without fully restarting suricata. I'm not wanting to set a limit
>> size on the unified2 files but wanting it to make a new one every few hours.
>> Right now, I'm fully restarting suricata to get a new file created.
>
> There is no way to do that now, but I think something similar would
> make a reasonable feature request:
>
> - Give the unified2 output a "nostamp" option like Snort.
> - If nostamp is on, subject the unified2 output to HUP file rotation.
>
> Then you could do file rotation like you would do on other output
> files like eve. Move the existing one out of the way, HUP Suricata to
> start writing to a new file.
>

This would make a nice feature request indeed!

> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev
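The rotate-then-HUP procedure Jason describes for eve-style outputs, written out as a small POSIX shell function. This is an added example, not code from the thread or from the Suricata project; it assumes the output file lives in a log directory passed as the first argument and that Suricata's pid can be read from a pidfile path passed as the third argument. As the thread states, unified2 does not take part in HUP rotation, so this only applies to outputs such as eve.json.

```shell
#!/bin/sh
# Rotate a Suricata output file: move the current file out of the way,
# then send SIGHUP so Suricata reopens its outputs and writes a new file.
#
# Usage (paths are assumptions, adjust to your install):
#   rotate_suricata_log /var/log/suricata eve.json /var/run/suricata.pid
rotate_suricata_log() {
    logdir="$1"    # directory holding the output file (assumed)
    name="$2"      # file name, e.g. eve.json
    pidfile="$3"   # pidfile path (assumed); may be empty or absent
    stamp="$(date -u +%Y%m%d%H%M%S)"
    src="$logdir/$name"
    dst="$logdir/$name.$stamp"

    # Nothing to rotate: report and fail instead of HUPping for no reason.
    [ -f "$src" ] || { echo "no $src to rotate" >&2; return 1; }

    # Never clobber an earlier rotation that landed in the same second.
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi

    # Rename within the same directory: Suricata keeps writing to the moved
    # inode until it reopens on HUP, so no events are lost in between.
    mv -- "$src" "$dst"

    if [ -n "$pidfile" ] && [ -r "$pidfile" ]; then
        pid="$(cat "$pidfile")"
        kill -HUP "$pid"   # ask Suricata to reopen its log files
    else
        echo "no readable pidfile: $src moved, HUP Suricata manually" >&2
    fi

    # Print the rotated file's path so a caller can hand it to archiving.
    printf '%s\n' "$dst"
}
```

Run it from cron or a timer at the interval you want; the rotated file is the one to compress or ship, and the new file appears as soon as Suricata handles the HUP.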


